Forum Discussion

Nimbostratus

Jan 25, 2016

Multiple F5 IdPs on One Access Profile w/IdP and SP-Initiated Logon

Here is my scenario: I have multiple external SAML services that we need the F5s to function as an IdP for. The F5s need to support both IdP and SP initiated authentication to all of the externa...

BIG-IP Access Policy Manager (APM)

cloud

saml

Michael_Koyfma1

Cirrus

Jan 25, 2016

I think there is some confusion there. Have you seen this part of the documentation?

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/28.html

If you want to support SP and IDP-initiated connections, then you need to create SAML Resource objects and assign them to the webtop. So, the best practice setup for you would be to create unique IDP object per each SP you have(the entity ID can be the same/redundant across all IDP configs), then bind each IDP and SP connector together, create SAML Resource object, and assign all SAML resource objects to the webtop.

After that, you should have both SP and IDP-initiated logins work without issues - do not assign anything to the SSO at the Access Profile level in order for this work.

Forum Discussion

Multiple F5 IdPs on One Access Profile w/IdP and SP-Initiated Logon

Recent Discussions

iRule resulting in too many redirects

ASM cookie, modifying "domain" field

URL

service profile HTTP in LTM v16.1?

Azure SAML - F5 APM

Related Content

SSL PROFILE - How to use multiple SSL Profile Client in Virtual Server

SSL Profiles

AS3 - Create multiple client ssl profiles to a single virtual server.

Multiple Kubernetes Clusters and Path-Based Routing with F5 Distributed Cloud

Server Profile SNI